HTC “failed to employ reasonable security” on Android, says FTC

The millions of HTC tablets and phones affected must be patched within 30 days.

On Friday, the Federal Trade Commission (FTC) announced that it had reached a settlement (PDF) with HTC over notable security holes on its millions of tablets and Android handsets. HTC has now agreed to provide a patch within 30 days and be subject to a security review for the next 20 years.

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,” the agency wrote in its complaint (PDF).

The agency also alleged that HTC’s user manuals “contained deceptive representations.” The FTC said that the Tell HTC application, which lets users report errors to HTC, does not actually allow users to opt out of sharing their location, despite a displayed option to do so.

Among other flaws, HTC’s phones also included a preinstalled HTC custom voice application. The voice vulnerability in particular, according to the FTC, “if exploited, would provide any third-party application access to the device’s microphone, even if the third-party application had not requested permission for that functionality.”

As the agency wrote in its own original complaint:

HTC could have prevented this by including simple, well-documented software code—“permission check” code—in its voice recorder application to check that the third-party application had requested the necessary permission. Because HTC failed in numerous instances to include permission check code in its custom, pre-installed applications, any third-party application exploiting these vulnerabilities could command those HTC applications to access various sensitive information and sensitive device functionality on its behalf—including enabling the device’s microphone; accessing the user’s GPS-based, cell-based, and WiFi-based location information; and sending text messages—all without requesting the user’s permission.
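The missing "permission check" the complaint describes, shown as an added example that is not taken from the article, the FTC complaint, or HTC's software. It is a simplified Python model of permission re-delegation rather than Android API code; the app names, classes and the `RECORD_AUDIO` label are assumptions of the model, and the scenario is constructed.

```python
from dataclasses import dataclass

RECORD_AUDIO = "RECORD_AUDIO"  # permission label used by this model only


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class App:
    name: str
    granted: frozenset  # permissions the user approved at install time


class Platform:
    """Guards the microphone; it only sees the app that calls it directly."""

    def __init__(self):
        self.audit = []  # (permission, direct caller, original requester)

    def open_microphone(self, direct_caller, requester):
        if RECORD_AUDIO not in direct_caller.granted:
            raise PermissionDenied(f"{direct_caller.name} lacks {RECORD_AUDIO}")
        self.audit.append((RECORD_AUDIO, direct_caller.name, requester.name))
        return "recording"


class VoiceRecorder:
    """Hypothetical pre-installed app with an entry point other apps can call."""

    def __init__(self, platform, check_caller):
        self.identity = App("preinstalled.voice", frozenset({RECORD_AUDIO}))
        self.platform = platform
        self.check_caller = check_caller

    def start_recording(self, caller):
        # The "permission check" code: refuse to act for a caller that was
        # never granted the permission this app is about to exercise.
        if self.check_caller and RECORD_AUDIO not in caller.granted:
            raise PermissionDenied(f"{caller.name} lacks {RECORD_AUDIO}")
        return self.platform.open_microphone(self.identity, caller)


def redelegated(audit, apps):
    """Audit entries where a permission was exercised for an app lacking it."""
    return [e for e in audit if e[0] not in apps[e[2]].granted]


def attempt(check_caller):
    """Run one constructed scenario; return (outcome, flagged audit entries)."""
    platform = Platform()
    recorder = VoiceRecorder(platform, check_caller)
    flashlight = App("thirdparty.flashlight", frozenset())  # no permissions
    apps = {a.name: a for a in (recorder.identity, flashlight)}
    try:
        outcome = recorder.start_recording(flashlight)
    except PermissionDenied:
        outcome = "denied"
    return outcome, redelegated(platform.audit, apps)


if __name__ == "__main__":
    print("without check:", attempt(check_caller=False))
    print("with check:   ", attempt(check_caller=True))
```

The platform's own check passes in both runs because the direct caller is the pre-installed app; only the check inside the pre-installed app sees the original requester.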

I skimmed the docs linked in the article looking for a list of devices, or at least some statement like "All devices released to the market since February 2011" and came up empty. What range of products are we talking about?

Edit: whoops didn't look at the "complaint" link. That lays it out nicely, but I'll just leave this here:

Quote:

HTC undermined the Android operating system’s permission-based security model in its devices by introducing numerous “permission re-delegation” vulnerabilities through its custom, pre-installed applications. [snip] In effect, this vulnerability undermines all protections provided by Android’s permission-based security model. This vulnerability has been present on approximately 18.3 million HTC devices running Android v. 2.1.x, 2.2.x, 2.3.x, 3.0.x and certain devices that were upgraded to Android v. 4.0.x.

Quote:

Since at least June 2011, HTC has, in many of its Android-based mobile devices, included the Tell HTC error reporting tool. [snip] In truth and in fact, in some instances, if a user did not check the button marked “Add location data” when submitting an error report through the Tell HTC application, location data was nevertheless sent to HTC with the user’s error report.

It's going to be VERY interesting watching how fast this rolls out (or doesn't). If they can do it in 30 days under court order, including carrier review and approval, then it rather casts some doubt on the whole, "we deploy updates as fast as we can!" excuse we've been hearing for years now.

It's going to be VERY interesting watching how fast this rolls out (or doesn't). If they can do it in 30 days under court order, including carrier review and approval, then it rather casts some doubt on the whole, "we deploy updates as fast as we can!" excuse we've been hearing for years now.

Knowing Verizon they will spend 10 months reviewing the changes and demanding more bloat and monitoring software to allow the patch in. I can honestly see them using this as an opportunity to blackmail HTC into disabling more features in Android that they want people to use their paid services for. That is if any of the phones required to be patched are on Verizon though.

So, having wiped my HTC for a CM7 install, I get the security benefit of having HTC voice off the phone and the snooper no longer functional, yet lose the security benefit of having a locked bootloader. You know what would fix this bootloader issue? If the device were such that you could self-sign the current OS and then enable the locked bootloader again, and it would accept self-signed in addition to Google signed (but only if the same device signed it while unlocked) that would be... a better approach overall.

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,”

At risk of physical injury? For real? I'm not quite understanding how these security vulnerabilities are going to cause people to get injured. Are there reports of people exploiting these security holes to physically attack others?

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,”

At risk of physical injury? For real? I'm not quite understanding how these security vulnerabilities are going to cause people to get injured. Are there reports of people exploiting these security holes to physically attack others?

Why is that so far-fetched? The only reason you don't care if the world knows where you are is because no one is looking for you to do you harm. Not everyone is so fortunate.

Probably the idea that a sufficiently interested party could use the phone to locate you such as an estranged spouse. Or to track law enforcement or judicial figures.

I was actually thinking of this recently. As Verizon, AT&T, Sprint, etc have placed themselves as the administrator of smart and feature phones shouldn't they have some liability should one of their customers suffer a loss due to compromised data on a phone, at least if the exploit is known and could have been patched if they did so promptly.

It's going to be VERY interesting watching how fast this rolls out (or doesn't). If they can do it in 30 days under court order, including carrier review and approval, then it rather casts some doubt on the whole, "we deploy updates as fast as we can!" excuse we've been hearing for years now.

I don't think Android updates are the issue here. The issue is HTC's crapware apps and Android tweaks that knock down the permission constraints. I suspect that every affected HTC handset will merely receive the same Android OS version they already have, minus the vulnerabilities.

If this wasn't the case, every manufacturer will eventually have to move to the latest and most secure version, v4.2.2. This won't happen. I mean there are too many underpowered devices out there already.

The risk of physical injury seems far fetched to me because there is probably only a very small percentage of people with location service turned off on their phone. It's one of those features that actually makes your smart phone "smart". Then an attacker would somehow have to get between your phone and HTC to intercept the location data which they would likely have to do with malware. Which I suppose isn't too far fetched but I have to wonder what are the odds that someone knew about these vulnerabilities, wrote some malware to exploit them and then somehow tricked their victims into installing it on their phone? Surely there must be simpler ways...

The risk of physical injury seems far fetched to me because there is probably only a very small percentage of people with location service turned off on their phone. It's one of those features that actually makes your smart phone "smart". Then an attacker would somehow have to get between your phone and HTC to intercept the location data which they would likely have to do with malware. Which I suppose isn't too far fetched but I have to wonder what are the odds that someone knew about these vulnerabilities, wrote some malware to exploit them and then somehow tricked their victims into installing it on their phone? Surely there must be simpler ways...

No. No to all of that. I'm sure you are the kind of person who posts to Facebook your exact location and what you are eating every 5 minutes, but why is that an acceptable across the board situation? "Your privacy is irrelevant, stop complaining that you can't protect it."

The risk of physical injury seems far fetched to me because there is probably only a very small percentage of people with location service turned off on their phone. It's one of those features that actually makes your smart phone "smart". Then an attacker would somehow have to get between your phone and HTC to intercept the location data which they would likely have to do with malware. Which I suppose isn't too far fetched but I have to wonder what are the odds that someone knew about these vulnerabilities, wrote some malware to exploit them and then somehow tricked their victims into installing it on their phone? Surely there must be simpler ways...

A malicious app can turn on the microphone without permission.

All they have to do is listen long enough, and they will hear where you are, and possibly what your next destination is, and intercept you.

OK. Considering that most devices have flaws in them, how is Microsoft or Oracle not being raked over the coals. They leave known holes open for months waiting until they get exploited to actually fix them. Where is the outrage for the FTC over them? This really seems a bit like discrimination.

Has there ever been a similar situation before, where a patch was mandated? This just seems so..... totally amazing and unexpected and new and awesome and a total smack down. Which is why I find it unbelievable. Is this an early April Fool's joke on us? Or a complete screw up like when that Republican group "accidentally" released an anti-copyright paper?

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,”

At risk of physical injury? For real? I'm not quite understanding how these security vulnerabilities are going to cause people to get injured. Are there reports of people exploiting these security holes to physically attack others?

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,”

At risk of physical injury? For real? I'm not quite understanding how these security vulnerabilities are going to cause people to get injured. Are there reports of people exploiting these security holes to physically attack others?

Not too hard to imagine a scenario. I used to date a lawyer whose clients were those kind of women, victims of spousal abuse. You may be surprised how horrible men can be.

True dat. There are many other uses and scenarios as well - take the recent news about Chinese military hackers performing corporate espionage for example. Or ANY government tracking foreign nationals. Or various criminal organisations pilfering all the personal data they can for identity theft or other fraudulent purposes. Or... well, you get the idea.

The 30 days aspect to this is very interesting to me though. Like everyone else here, I can't imagine it possibly happening that fast for all those phone models and Android version combos - and if it does, will the programming quality be anywhere near up to par? I can easily see this being a case of the cure being worse than the ill.

And if HTC does manage to spit something out, but can't get the carriers to pass the update along fast enough (if at all) can the carriers themselves be sued by the feds? It would be a nice way to add to the pressure on the carriers to stop inserting themselves needlessly into the software update process.

OK. Considering that most devices have flaws in them, how is Microsoft or Oracle not being raked over the coals. They leave known holes open for months waiting until they get exploited to actually fix them. Where is the outrage for the FTC over them? This really seems a bit like discrimination.

HTC really should get their shit together though.

I can't speak for the FTC, but there is a difference between software having security holes and negligence. I'm not aware of many (any?) cases of Microsoft leaving known exploitable flaws in their software for months or designing it in an intentionally insecure way, and my general impression is that for all the crap Microsoft gets about security, they're not doing too terrible in that department and they're getting better (I don't know enough about Oracle software to comment on that). The substance of the FTC complaint, as I understand it, is that HTC basically made a blatantly insufficient effort to secure its software and, importantly, should easily have been able to do better.

I wonder if this will become more of a problem for Android phones going forward? The way the manufacturers and carriers arbitrarily modify the software and throw it out there with patch support that hardly ever comes close to matching the length of your contract or amount of time people keep a phone just cries "security negligence" in my opinion.

Personally I'd be OK with a law that said carriers/manufacturers MUST provide software security updates for every phone they sell for at least 2 years after purchase.

Phone manufacturers and carriers have been living in this dream world where their crappy customizations provide useful value in the form of distinguishing their product. So far there hasn't been any financial downside to that stance. I hope this is a first step toward scaring all of the Android phone makers into stopping that. To discourage them, it needs to be obviously more expensive to hack on the Android code than to pass it through from Google with the minimum of changes.

I am not too optimistic about that realization taking hold though. If the manufacturers and carriers were smart, they'd have figured this out years ago. None of them can compete with Google in terms of developing software faster. They should stick to competing on hardware features, style, and similar manufacturing goals, while shipping as close to the stock releases as they can.

I am not excusing HTC. But Oracle knew about one of the recent big Java holes for some time and yet didn't put out a patch until it was exploited. If we are going to push on one OEM, we should be pushing on all of them to do better.

Based on the fact that Google sells the Nexus running straight Android, one has to wonder why HTC is even screwing with software (beyond device drivers)? I can see if Android was some hokey base OS that was not capable of running a phone without serious modifications, but the success of the Nexus shows that this is clearly not the case. This would also alleviate many of the carrier qualification hoops and speed the mitigation of security holes (by deferring the heavy lifting to Google), admittedly as long as the HTC drivers comply with Android security standards.

I am not excusing HTC. But Oracle knew about one of the recent big Java holes for some time and yet didn't put out a patch until it was exploited. If we are going to push on one OEM, we should be pushing on all of them to do better.

Of course, it's better if all companies are pushed to do better security, but it's natural for one to go for worse offenders first. As a purely hypothetical example, it's one thing Facebook may have security holes, but it's another thing if Facebook deliberately leaves a hidden URL, accessible from anywhere, without any basic protection, allowing anyone to login as any other user.

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,”

...... Edited for Brevity .......

The 30 days aspect to this is very interesting to me though. Like everyone else here, I can't imagine it possibly happening that fast for all those phone models and Android version combos - and if it does, will the programming quality be anywhere near up to par? I can easily see this being a case of the cure being worse than the ill.

And if HTC does manage to spit something out, but can't get the carriers to pass the update along fast enough (if at all) can the carriers themselves be sued by the feds? It would be a nice way to add to the pressure on the carriers to stop inserting themselves needlessly into the software update process.

Well if HTC has any sense (catch that ???) I wouldn't be at all surprised to learn that they have a pile o' patches already written, quite probably with in-house testing completed, and burning a hole in a couple of servers & just waiting to be deployed. HTC's recent numbers aren't of the caliber that lull conscientious managers into complacency. HTC can't really afford to be hit with large fines and / or a temporary court ordered embargo on trade.

And yes, if HTC had, some time ago, handed "beta" software off to carriers for preliminary testing, should the stated 30 days come & go as a result of carrier screw-ups, the carriers can be slapped around a bit as well.

OK. Considering that most devices have flaws in them, how is Microsoft or Oracle not being raked over the coals. They leave known holes open for months waiting until they get exploited to actually fix them. Where is the outrage for the FTC over them? This really seems a bit like discrimination.

HTC really should get their shit together though.

Reading the actual complaint, it sounds like it was the misrepresentations that nailed HTC. There is nothing illegal about having an insecure application in general, however telling the user that a device operates in one way, and then behaving in a completely different manner amounts to deceptive and unfair trade, which is illegal. I imagine that some of the other security complaints wouldn't have held up in court, but they were freebies that HTC agreed to fix as part of the settlement.

First, I see another key difference between MS/Oracle/others and HTC. The others may have security holes which have yet to be plugged -- mostly oversights. HTC appears to have actively circumvented the innate security of the Android OS. They actually made their devices LESS secure than the base OS.

They may or may not patch these devices in time. This ruling, however, demonstrates that HTC continues to make questionable decisions in their software development, to the potential harm of their paying customers. I used to be a big HTC fan -- I've had every version of the EVO line and an HTC Flyer at various points. Now, even with the impressive-looking HTC One for this year, I am hard pressed to trust HTC for my mobile needs, mainly because of their software choices.